TechRadar
Sead Fadilpašić

EU cyberattack may have been worse than we thought - 90GB of data published online as 30 entities hit

European Commission.

  • Cyberattack hit nearly 30 EU entities via Trivy update
  • TeamPCP stole AWS keys, enabling large-scale data exfiltration
  • ShinyHunters leaked 340GB of sensitive Commission-related data

The recent cyberattack on the European Commission (EC) may have been a lot worse than initially thought, as we now know it affected almost 30 different European Union (EU) entities.

In an updated security notice, the European Union’s Cybersecurity Service (CERT-EU) blamed the intrusion on TeamPCP, and shared more details about what had happened.

In the attack, TeamPCP, a relatively unknown threat actor, got a malicious version of Trivy into the update stream that users trust. Trivy is an open source security scanner built by Aqua Security to detect vulnerabilities and misconfigurations. The malicious version allowed TeamPCP to obtain an Amazon Web Services (AWS) API key belonging to the European Commission, which granted them control over other AWS accounts affiliated with the EC.


Amazon confirmed this was not a breach of its own systems and that its services operated as intended.

Using the stolen AWS secrets, TeamPCP exfiltrated data from the affected cloud environment, the EC then confirmed. “The exfiltrated data relates to websites hosted for up to 71 clients of the Europa web hosting service: 42 internal clients of the European Commission, and at least 29 other Union entities.”
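The two paragraphs above describe the pattern defenders would want to catch: a leaked access key used from infrastructure it was never meant to run on, pivoting into other accounts and pulling data in bulk. The following is an added illustration, not code from CERT-EU, the Commission or TechRadar; it scans constructed CloudTrail-style records (placeholder key, IPs and account IDs, not values from the incident) and assumes a baseline CIDR for legitimate use and a read-count threshold that would be tuned per environment.

```python
import ipaddress
from collections import defaultdict

# Assumed baseline: address ranges from which this key is legitimately used (e.g. CI runners).
BASELINE_CIDRS = [ipaddress.ip_network("10.0.0.0/8")]
READ_THRESHOLD = 3  # assumed: number of reads from a foreign IP that counts as bulk access

def _rec(name, source, ip, key, account, **extra):
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    r = {"eventName": name, "eventSource": source, "sourceIPAddress": ip,
         "userIdentity": {"accessKeyId": key}, "recipientAccountId": account}
    r.update(extra)
    return r

KEY = "AKIAEXAMPLEKEY000001"  # placeholder, not a real key
SAMPLE_RECORDS = [
    _rec("ListBuckets", "s3.amazonaws.com", "10.0.1.5", KEY, "111111111111"),
    _rec("AssumeRole", "sts.amazonaws.com", "203.0.113.7", KEY, "111111111111",
         requestParameters={"roleArn": "arn:aws:iam::222222222222:role/WebHostingAdmin"}),
] + [_rec("GetObject", "s3.amazonaws.com", "203.0.113.7", KEY, "222222222222") for _ in range(5)]

def analyze(records, baseline=BASELINE_CIDRS, threshold=READ_THRESHOLD):
    """Return {accessKeyId: finding} for keys showing foreign-IP use, cross-account pivots or bulk reads."""
    foreign_ips, cross_accounts, foreign_reads = defaultdict(set), defaultdict(set), defaultdict(int)
    for r in records:
        key = r.get("userIdentity", {}).get("accessKeyId")
        if not key:
            continue
        try:
            ip = ipaddress.ip_address(r["sourceIPAddress"])
        except ValueError:  # CloudTrail may put an AWS service name here instead of an IP
            continue
        if not any(ip in net for net in baseline):
            foreign_ips[key].add(str(ip))
            if r["eventName"] in ("GetObject", "ListObjects", "ListBuckets"):
                foreign_reads[key] += 1
        if r["eventName"] == "AssumeRole":
            arn = r.get("requestParameters", {}).get("roleArn", "")
            parts = arn.split(":")
            target = parts[4] if len(parts) >= 6 else ""  # account ID is the 5th ARN field
            if target and target != r["recipientAccountId"]:
                cross_accounts[key].add(target)
    findings = {}
    for key in set(foreign_ips) | set(cross_accounts):
        findings[key] = {"foreign_ips": sorted(foreign_ips[key]),
                         "cross_account_targets": sorted(cross_accounts[key]),
                         "bulk_read_from_foreign_ip": foreign_reads[key] >= threshold}
    return findings
```

Running `analyze(SAMPLE_RECORDS)` flags the placeholder key for use from 203.0.113.7, a role assumption into account 222222222222 and bulk reads from outside the baseline; the first record alone produces no finding.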

The notice doesn’t name which entities those are, but some of the more notable ones include the European Parliament, the Council of the European Union, and the European External Action Service. Other agencies that may have been affected include the European Medicines Agency, the European Banking Authority, ENISA, and Frontex.

Soon after news of the breach broke, a group known as ShinyHunters claimed the incident, saying they nabbed “data dumps of mail servers, databases, confidential documents, contracts, and much more sensitive material”. In total, the hackers posted 340GB of data, compressed into a 91.7GB archive.

“Analysis of the published dataset has so far confirmed the presence of personal data, including lists of names, last names, usernames, and email addresses, predominantly from the European Commission’s websites but potentially pertaining to users across multiple Union entities,” CERT-EU said.

The dataset also contains at least 51,992 files related to outbound email communications, the majority of which are automated notifications “with little to no content”.

Via BleepingComputer
